[Bro] About the question that Bro will lose the logs every time when executing "bro -r xxx.pcap"

Bowen Li newfire.bw at gmail.com
Sun Jun 24 19:00:59 PDT 2018


Hi 军波,
    I think Bro just truncates the log file: the Ascii::DoInit function in the file
/logging/writers/ascii/Ascii.cc opens the log file in 'O_WRONLY | O_CREAT |
O_TRUNC' mode, so if you want to append logs, maybe you need to change 'O_TRUNC'
to 'O_APPEND'.
    I have not verified this method; I hope this will help you.

Bowen Li

彭军波 <pengjunbo at 1218.com.cn> wrote on Wed, Jun 13, 2018 at 9:27 AM:

>
> Hi,
>
>     When I execute the "bro -r xxx.pcap" command, the logs which were generated last
> time would be covered (maybe removed). What I want to ask is how to keep
> the logs that were generated by using the "bro -r xxx.pcap" command last time.
> Does Bro have a feature to keep adding to the tail of the log files every time?
>
>     Thanks so much!
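The difference between the two open(2) flag sets named in the reply, as an added example that is not part of the original thread and not Bro's source code. It simulates two runs writing to the same log file; the file names, header line and records are constructed, and it assumes each run writes a '#'-prefixed header when it opens the log, as Bro's ASCII logs begin with such lines.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One simulated run: open the log with O_TRUNC or O_APPEND, write a
 * header line and one record. Returns 0 on success, -1 on error. */
static int write_run(const char *path, int mode_flag, const char *record)
{
    const char *header = "#fields\tts\tuid\n";   /* constructed header */
    int fd = open(path, O_WRONLY | O_CREAT | mode_flag, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, header, strlen(header)) == (ssize_t)strlen(header)
          && write(fd, record, strlen(record)) == (ssize_t)strlen(record);
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Count all lines in the file and, via *headers, lines starting with '#'. */
static int count_lines(const char *path, int *headers)
{
    char buf[256];
    int n = 0, h = 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(buf, sizeof buf, f)) {
        n++;
        if (buf[0] == '#')
            h++;
    }
    fclose(f);
    *headers = h;
    return n;
}

/* Two runs against the same path; returns the final line count. */
static int two_runs(const char *path, int mode_flag, int *headers)
{
    unlink(path);                                /* clean starting state */
    if (write_run(path, mode_flag, "1.0\tCrun1\n") != 0) return -1;
    if (write_run(path, mode_flag, "2.0\tCrun2\n") != 0) return -1;
    return count_lines(path, headers);
}
```

With O_TRUNC only the second run's header and record survive; with O_APPEND both records are kept, but the header block appears once per run, which a log parser has to tolerate.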